Sep 21, 2012 - 11:55 p.m.

CVE-2012-3137

2012-09-21 23:55:01
CWE-287
web.nvd.nist.gov
Tags: oracle, database, server, authentication, protocol, vulnerability, cve-2012-3137, nvd

AI Score: 9.1 High (Confidence: High)

CVSS2: 6.4 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

EPSS: 0.055 Low (Percentile: 93.2%)

The authentication protocol in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote attackers to obtain the session key and salt for arbitrary users, which leaks information about the cryptographic hash and makes it easier to conduct brute force password guessing attacks, aka “stealth password cracking vulnerability.”

Affected configurations

Source: NVD

Node (any of):
oracle database_server, match 10.2.0.3
oracle database_server, match 10.2.0.4
oracle database_server, match 10.2.0.5
oracle database_server, match 11.1.0.7
oracle database_server, match 11.2.0.2
oracle database_server, match 11.2.0.3

Node (any of):
oracle primavera_p6_enterprise_project_portfolio_management, match 8.2
oracle primavera_p6_enterprise_project_portfolio_management, match 8.3
oracle primavera_p6_enterprise_project_portfolio_management, match 8.4
